CVE-2019-15298

A problem was found in Centreon Web through 19.04.3. An authenticated command injection is present in the page include/configuration/configObject/traps-mibs/formMibs.php. This page is called from the Centreon administration interface. This is the mibs management feature that contains a file filing form. At the time of submission of a file, the mnftr parameter is sent to the page and is not filtered properly. This allows one to inject Linux commands directly.

Published: Nov 27, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-15298
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
centreon / centreon_web	19.10.0	19.10.2
centreon / centreon_web	2.8.1	2.8.30
centreon / centreon_web	19.04.0	19.04.5
centreon / centreon_web	18.10.0	18.10.8

https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04.html
https://github.com/centreon/centreon/pull/8023
https://www.certilience.fr/2019/08/CVE-2019-15298-vulnerabilit%C3%A9-centreon-command-injection

Vulnerability Database

CVE-2019-15298

Deep Security Visibility Without the Complexity